Routing packets based on DSCP tag

cyrusd · November 16, 2022, 2:11pm

Hi
Having two Routeros I want to tag all outgoing traffic of RO 1 and use the tag later in the host’s gateway (RO 2) for policy-based routing.
more explanation :
RO 1 (192.168.1.10/24) creates a packet and sets a tag on it then send it to its gateway (RO 2) (192.168.1.1)
The gateway (RO 2) receives and opens the packet and reads the tag, based on the tag number the router can decide what routing table the packet belongs to.
I think this can be done with DSCP tagging, am I right?
what is the proper way to achieve this scenario?
bear in mind that I can’t use the host (RO 1) source IP address for routing cause it changes regularly.
Thanks in adv.

rextended · November 16, 2022, 2:27pm

You need to be sure that between your two routers, no devices, such as those of the ISP, do not change or delete the DSCP.

# RO1
/ip firewall mangle
add chain=forward in-interface=<LAN1-INTERFACE> out-interface=<WAN-INTERFACE> action=change-dscp new-dscp=11 passthrough=yes
add chain=forward in-interface=<LAN2-INTERFACE> out-interface=<WAN-INTERFACE> action=change-dscp new-dscp=22 passthrough=yes

# RO2
/ip firewall mangle
add chain=prerouting dscp=11 routing-mark=!table11 action=mark-routing new-routing-mark=table11 passthrough=yes
add chain=prerouting dscp=22 routing-mark=!table22 action=mark-routing new-routing-mark=table22 passthrough=yes

sindy · November 16, 2022, 2:33pm

Indeed the DSCP/TOS field is the only field among the IP headers of a packet you can use to deliver a flag from one router to another, provided that you don’t need the original purpose of that field.

On RO 2, you just “translate” the DSCP value to a routing-mark value using an action=mark-routing rule in mangle->prerouting.

Just for the sake of completeness, there is also a possibility to use the priority field in the 802.1Q VLAN tag - if the VID in the tag is set to 0, the frame is handled as if it was not tagged, but the priority field of the tag is processed.

DarkNate · November 16, 2022, 3:07pm

While this is perfectly possible on RouterOS. But Tik hardware is not designed for QoE appliances. This will tax the CPU like hell in a production environment.

pe1chl · November 16, 2022, 3:15pm

Well, when you have already given up on fast path or fast track there is not much difference… and in cases where you want all kinds of different routing marks, you likely have to turn that off anyway.
Indeed you can use the DSCP tag in this way, but beware that there may already be a DSCP tag (nonzero) on part of your traffic, so you need to be prepared for that.
Also, it is probably not a good idea to just pick 2 random values and use those. It may be safer to study how TOS and DSCP work and then select values that do not have unintended side-effects later in the chain.

rextended · November 16, 2022, 3:44pm

Correct, like check if DSCP is 0 or not:

/ip firewall mangle
add chain=forward in-interface=<LAN1-INTERFACE> out-interface=<WAN-INTERFACE> action=change-dscp new-dscp=11 passthrough=yes dscp=0

And DSCP can be from 0 to 63, other values are reserved (and not accepted) for ECN that use the last two bit of ex TOS field.

cyrusd · November 17, 2022, 8:18am

So what’s the proper way to do it, except using the source IP address?

pe1chl · November 17, 2022, 9:12am

What model of router do you have, and what speed do you expect to get?